Some development snapshots of PuTTY, when presented with an invalid
ECDSA key, will zero unrelated memory.

(Since this vulnerability is in the as-yet-unreleased
ECDSA implementation, no released version
of PuTTY is affected.)

The ecdsa_newkey function is the part of PuTTY that
converts ECDSA public keys from SSH-2 wire format into a format that
can be used internally. If this conversion fails part-way through,
PuTTY attempts to erase the memory holding the part-constructed
internal key. One of the fields of the internal format is not
initialised to NULL before the first possible failure point, so PuTTY
can end up erasing memory unrelated to the key being loaded. It's
possible that this could be exploited to cause PuTTY to erase
something important.

The ecdsa_newkey function is called whenever PuTTY
receives an ECDSA host key from an SSH-2 server, including during
initial key exchange. This means that an attack could be mounted by a
man in the middle before PuTTY has validated the host key.

This is a particular problem because in an SSH-2 connection, PuTTY
converts the server-presented host key into internal format before
checking that it's the correct host key, so a man in the middle could
cause trouble even if the user is connecting to a trustworthy server.